Zeus Malware Goes 64 Bit, Includes Tor Connectivity

The Zeus malware family has been a common sight on the IT threat landscape for years, powering a banking fraud botnet of the same name that U.S. authorities have tried to shut down.

Zeus has now evolved.

Researchers at Kaspersky Lab have detected a new 64-bit variant of the Zeus malware. 64-bit-based operating systems are increasingly becoming the norm, though malware, for the most part, has remained in the 32-bit world. Being 32-bit software doesn't, however, limit the ability of software to run on 64-bit platforms. Most Web browsers in use today even on 64-bit platforms remain 32 bit. Kaspersky is also seeing other noteworthy components in the new 64-bit Zeus variant.

The new version of Zeus also includes Tor connectivity, which is inseparable from the 64-bit version, Kaspersky Lab expert Dmitry Bestuzchev told eWEEK. Tor (The Onion Router) is an anonymous network for routing Internet traffic. "It connects to an onion domain, which means that the command and control server is well-hidden," Bestuzchev said. "Not all malware includes this functionality."

Other security researchers contacted by eWEEK also see the 64-bit variant of Zeus as being noteworthy.

Even though 32-bit code can run on 64-bit machines, this new variant is keeping Zeus ahead of the game, said Tommy Chin, technical support engineer at CORE Security. "They are supporting 64-bit browsers before 64-bit browsers become highly adopted and used by the population," Chin told eWEEK. "By the time 64-bit browsers are mainstream, the 64-bit Zeus will have worked out most, if not all, the 64-bit issues of running natively on this platform."

Sean Bodmer, chief researcher at CounterTack, agrees with the 64-bit threat assessment, noting that 64-bit threats are the next logical evolution of crimeware. With the implementation of 64-bit operating systems and applications, the world believed that systems running this architecture were far less likely to be vulnerable than any 32-bit-based system, Bodmer told eWEEK.

"The functionality of Zeus itself has quite an impact and is very proficient at financially based cyber-crime," Bodmer said. "With all of Zeus’s functionality ported to 64-bit platforms, it seems one mind out there is far superior than the entire 64-bit security architectural designers."

What's noteworthy with the new Zeus malware is that there is a 64-bit piece of code that was hidden inside a more typical 32-bit Zeus variant, Richard Henderson, security strategist at Fortinet's FortiGuard Threat Research Lab, told eWEEK.

"If Zeus was able to determine the infected victim was using a 64-bit OS, the malware would attempt to inject code into some 64-bit processes in the hopes of facilitating its goals, which with Zeus is the capture of banking information," Henderson said. "As far as threat severity, in this specific case, the 64-bit portion of the malware didn't work properly, but perhaps it was just a test to dip its toes into 64-bit waters."

While the specific Zeus 64-bit family is unique, there are other 64-bits pieces of malware in Kaspersky's collection, Kaspersky Lab's Bestuzchev said, adding that it’s logical to expect to get more new 64-bit samples.

With the addition of Tor as the back-end network route for Zeus, Bestuzchev said, it gets more complicated to trace at the network layer. While Tor is used to anonymize traffic, the additional network hops that are taken through multiple onion routers add latency and make the network communications somewhat slower than normal.

When it comes to Zeus, network speed communication is not the most important issue, which is how stealthy and how efficient it is at stealing personal information, Bestuzchev said.

That said, the fact that the 64-bit variant of Zeus is using Tor might also help individuals that might be infected.

"If you see Tor activity and actually don’t use Tor at all, that’s probably the moment to make a manual inspection of the machine," Bestuzchev said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.